1.4.2 Enable 'service password-encryption'

Information

When password encryption is enabled, the encrypted form of the passwords is displayed when the 'more system:running-config' command is entered.

This setting requires passwords to be encrypted in the configuration file, so that unauthorized users cannot learn them just by reading the configuration. When it is not enabled, many of the device's passwords are rendered in plain text in the configuration file. With the service enabled, passwords are rendered as encrypted strings, preventing an attacker from easily determining the configured value.

Solution

Enable the password encryption service to protect sensitive access passwords in the device configuration.

hostname(config)#service password-encryption

Impact:

Organizations implementing 'service password-encryption' reduce the risk of unauthorized users learning clear-text passwords stored in Cisco IOS configuration files. However, the algorithm used is not designed to withstand serious analysis, and passwords encrypted with it should be treated like clear text.
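
The check described above can be run offline against a saved copy of the running configuration. The following Python script is an added example, not part of the CIS benchmark or the audit plugin: it reports whether 'service password-encryption' is set and which password statements are stored in clear text (type 0 or untyped) or as type 7, which the Impact note says to treat like clear text. The function name, the sample configurations and every password value in them are constructed placeholders.

```python
import re

# "enable password ...", "username X password ...", or a line-level "password ...".
# Group 1 is the optional numeric type (0 = clear text, 7 = reversible encoding).
PASSWORD_RE = re.compile(
    r"^(?:enable |username \S+ (?:privilege \d+ )?)?password (?:(\d+) )?\S+$"
)

def audit_running_config(text):
    """Report the service state and the line numbers of weakly stored passwords."""
    result = {"service_enabled": False, "cleartext_lines": [], "type7_lines": []}
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line == "service password-encryption":
            result["service_enabled"] = True
        elif line == "no service password-encryption":
            result["service_enabled"] = False
        match = PASSWORD_RE.match(line)
        if not match:
            continue
        # Only line numbers are recorded, so the report never repeats a password.
        if match.group(1) in (None, "0"):
            result["cleartext_lines"].append(number)
        elif match.group(1) == "7":
            result["type7_lines"].append(number)
    return result

# Constructed sample configurations; every password value is a placeholder.
SAMPLE_BEFORE = """\
hostname lab-rtr
no service password-encryption
enable password PLACEHOLDER-A
username ops password 0 PLACEHOLDER-B
line vty 0 4
 password PLACEHOLDER-C
 login
"""

SAMPLE_AFTER = """\
hostname lab-rtr
service password-encryption
enable password 7 PLACEHOLDER7A
username ops password 7 PLACEHOLDER7B
line vty 0 4
 password 7 PLACEHOLDER7C
 login
"""

if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit_running_config(cfg))
```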

See Also

https://workbench.cisecurity.org/benchmarks/17130

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Cisco

Control ID: d114e8ee10759b2183d620ef86fc1b19bdbe16fb7ebe2ccf882e2754806fc58d